MEAN-SET ATTACK: CRYPTANALYSIS OF SIBERT ET AL. 
AUTHENTICATION PROTOCOL 



NATALIA MOSINA AND ALEXANDER USHAKOV 



Abstract. We analyze the Sibert et al. group-based (Feige-Fiat-Shamir type) 
authentication protocol and show that the protocol is not computationally 
zero-knowledge. In addition, we provide experimental evidence that our ap- 
proach is practical and can succeed even for groups with no efficiently com- 
putable length function such as braid groups. The novelty of this work is that 
we are not attacking the protocol by trying to solve an underlying complex al- 
gebraic problem, namely, the conjugacy search problem, but use a probabilistic 
approach, instead. 
1. Introduction

Group-based cryptography attracted a lot of attention after the invention of the Anshel-Anshel-Goldfeld [1] and Ko-Lee et al. key-exchange protocols in 1999. Since then a number of new cryptographic protocols, including public-key authentication protocols, based on infinite groups have been invented and analyzed. One may consult [25] and [11] to learn more about group-based cryptography in general. In this paper we consider a particular interactive group-based authentication scheme, the Sibert et al. protocol (see [34], [11]).

Recall that an interactive proof of knowledge system is a multi-round randomized protocol for two parties, in which one of the parties (the Prover) wishes to convince the other party (the Verifier) of the validity of a given assertion. Every interactive proof of knowledge should satisfy the completeness and soundness properties:

Completeness: If the assertion is true, it should be accepted by the Verifier with high probability.

Soundness: If the assertion is false, then the Verifier rejects it with high probability.

If the Prover does not trust the Verifier and does not want to compromise any private information in the process of providing the proof of identity, then the following property, concerned with the preservation of secrecy, becomes very important:

Zero-Knowledge (ZK): Except for the validity of the Prover's assertion, no other information is revealed in the process of the proof.

If a given protocol possesses the zero-knowledge property, then it is considered to be a zero-knowledge interactive proof system ([16]).

There are three different notions of zero-knowledge that have been commonly used in the literature (see, e.g., [16]); namely, perfect zero-knowledge, statistical zero-knowledge, and computational zero-knowledge. The first notion is the strictest definition of ZK, which is rarely useful in practice. The last notion (computational zero-knowledge) is the most liberal one, and it is used more frequently in practice than the others.

The Sibert et al. authentication protocol is an example of an interactive (dynamic, randomized) proof system. In this paper, we use probabilistic tools, introduced in [27] and outlined in Section 2.3 below, to design an attack on this particular cryptographic primitive and show that it is not computationally zero-knowledge. In addition, we conduct some experiments that support our conclusions and show that the protocol is not secure in practice.

1.1. Description of the protocol. Sibert's protocol is an iterated two-party three-pass Feige-Fiat-Shamir type authentication protocol. There are two slightly different descriptions of the protocol available in [11] and [34], with two different key generation algorithms. In [34], the protocol is introduced as Scheme II. Here, we follow the description of the scheme from the survey [11], except for minor notational modifications in the conjugation. These modifications do not affect the protocol and its cryptographic properties at all (swapping r and y in [11] would resolve the difference). In addition, [11] and [34] treat the protocol slightly differently themselves, with and without a collision-free one-way hash function, respectively. Nevertheless, this is not essential for our analysis.

Let G be a (non-commutative, infinite) group, called the platform group, and $\mu$ a probability measure on G. The Prover's private key is an element $s \in G$; the Prover's public key is a pair $(w, t)$, where w is an arbitrary element of the group G, called the base element, and $t = s^{-1}ws$ is the conjugate of w by s. In addition, we assume that H is a collision-free one-way hash function from G to $\{0,1\}^*$. A single round of the protocol is performed as follows:

(1) The Prover chooses a random element $r \in G$, called the nonce, according to the probability measure $\mu$, and sends $x = H(r^{-1}tr)$, called the commitment, to the Verifier.

(2) The Verifier chooses a random bit c, called the challenge, and sends it to the Prover.

• If $c = 0$, then the Prover sends $y = r$ to the Verifier and the Verifier checks whether the equality $x = H(y^{-1}ty)$ is satisfied.

• If $c = 1$, then the Prover sends $y = sr$ to the Verifier and the Verifier checks whether the equality $x = H(y^{-1}wy)$ is satisfied (note that $y^{-1}wy = r^{-1}s^{-1}wsr = r^{-1}tr$, so an honest Prover always passes).

This round is repeated k times to guarantee a soundness error (i.e., the probability that a cheating Prover will be able to convince the Verifier of a false statement) of order $2^{-k}$, which is considered negligible if k is large, say $k \ge 100$. Sibert's protocol satisfies both the completeness and the soundness properties of interactive proof systems.
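The round above, as an added worked example (not code from the paper): it runs the protocol over the free group $F_2 = \langle a, b \rangle$, with elements written as freely reduced words and uppercase letters standing for inverses, and uses SHA-256 of the reduced word as the hash H. The platform group, the key pair, the nonce distribution $\mu$ (uniformly random reduced words of a fixed length) and every name below are assumptions of this example, chosen because free-group arithmetic is exact; a deployment would use a group such as $B_n$. The example also shows why one round has soundness error 1/2 (a prover without s can prepare an answer for only one of the two challenge bits) and how a passive eavesdropper's table of responses splits into $R_0$ and $R_1$.

```python
# Added example, not the paper's code: one round of the Sibert et al.
# protocol over the free group F_2 = <a, b>.  Elements are freely reduced
# words; uppercase letters are inverses (A = a^-1, B = b^-1).  H is SHA-256
# of the reduced word, standing in for the collision-free one-way hash.
import hashlib
import random

INV = {"a": "A", "A": "a", "b": "B", "B": "b"}

def reduce_word(word):
    """Free reduction: cancel adjacent inverse pairs until none remain."""
    out = []
    for ch in word:
        if out and out[-1] == INV[ch]:
            out.pop()
        else:
            out.append(ch)
    return "".join(out)

def mul(*words):
    return reduce_word("".join(words))

def inv(word):
    return "".join(INV[ch] for ch in reversed(word))

def conj(w, s):
    """s^-1 w s, the conjugate of w by s (the paper's t = s^-1 w s)."""
    return mul(inv(s), w, s)

def H(g):
    return hashlib.sha256(g.encode()).hexdigest()

def random_nonce(rng, length):
    """mu: a uniformly random reduced word of the given length."""
    word = []
    for _ in range(length):
        word.append(rng.choice([x for x in "abAB"
                                if not word or x != INV[word[-1]]]))
    return "".join(word)

def honest_round(s, w, t, rng=None, nonce_len=20):
    """One round with an honest Prover; returns (accepted, c, y)."""
    if rng is None:
        rng = random.Random(0)
    r = random_nonce(rng, nonce_len)
    x = H(conj(t, r))                    # commitment x = H(r^-1 t r)
    c = rng.randint(0, 1)                # the Verifier's challenge
    if c == 0:
        y = r
        accepted = x == H(conj(t, y))    # check x = H(y^-1 t y)
    else:
        y = mul(s, r)
        accepted = x == H(conj(w, y))    # check x = H(y^-1 w y) = H(r^-1 t r)
    return accepted, c, y

def cheating_round(w, t, guess, challenge, rng=None, nonce_len=20):
    """A prover who does not know s must guess c before committing: it can
    prepare a valid answer for one challenge bit only, so it passes a round
    with probability 1/2 and k rounds with probability 2^-k."""
    if rng is None:
        rng = random.Random(0)
    r = random_nonce(rng, nonce_len)
    x = H(conj(t if guess == 0 else w, r))   # commit for the guessed bit
    y = r                                    # the only answer it can give
    return x == H(conj(t if challenge == 0 else w, y))

def eavesdrop(s, w, t, rounds, seed=7):
    """Eve's table: honest responses split by challenge into R_0 and R_1."""
    rng = random.Random(seed)
    R0, R1 = [], []
    for _ in range(rounds):
        accepted, c, y = honest_round(s, w, t, rng)
        assert accepted
        (R0 if c == 0 else R1).append(y)
    return R0, R1

S_SECRET = "abbaBAAb"                    # assumed private key s
W_BASE = "aBAb"                          # assumed base element w
T_PUBLIC = conj(W_BASE, S_SECRET)        # public key (w, t), t = s^-1 w s

if __name__ == "__main__":
    R0, R1 = eavesdrop(S_SECRET, W_BASE, T_PUBLIC, rounds=10)
    print("R_0 =", R0)
    print("R_1 =", R1)
```

The cheater's two strategies are exactly the two cases of the simulator in a zero-knowledge argument: each transcript it can produce is distributed like an honest one, which is why the protocol's security rests entirely on how the responses $y = sr$ in $R_1$ relate to the nonces in $R_0$, the question Section 1.3 takes up.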

In addition, [34] describes another authentication protocol, the so-called Scheme III, which is different from the one described above. Even though the techniques of this paper do not directly apply to that protocol, we believe that, using similar ideas, this scheme can be successfully attacked as well.



1.2. Security of the protocol. Note that if an intruder (named Eve) can compute the secret element s or any element $s' \in G$ such that $t = s'^{-1}ws'$, i.e., if Eve can solve the conjugacy search problem for G, then she can authenticate as the Prover. Thus, as indicated in [34], the computational difficulty of the conjugacy search problem for G is necessary for the security of this protocol.

Originally, it was proposed to use braid groups $B_n$ as platform groups, because no efficient solution of the conjugacy search problem for $B_n$ was known. This motivated a lot of research about braid groups. As a result of recent developments (see, e.g., [3]), there is an opinion that the conjugacy search problem for $B_n$ can be solved in polynomial time. If that is indeed true, then the Sibert et al. authentication protocol is insecure for $B_n$. Nevertheless, the same protocol can be used with other platform groups and, hence, it is important to have tools for the analysis of general Sibert-type protocols. We show in the present paper that it is not necessary to solve the conjugacy search problem for G to break the scheme. Instead, one can analyze the zero-knowledge property of the protocol by employing ideas from probability theory and show that the protocol is insecure under the mild assumption that an efficiently computable length function exists for the platform group G. Even for groups with no efficiently computable length function, such as $B_n$, a reasonable approximation can do the job.

Now, let $\mu$ be a probability measure on a platform group G. We say that $\mu$ is left-invariant if for every $A \subseteq G$ and $g \in G$ the equality $\mu(A) = \mu(gA)$ holds. The following result is proved in [34].

Proposition ([34]). Let G be a group. If the conjugacy search problem for G is computationally hard (cannot be solved by a probabilistic polynomial time Turing machine) and $\mu$ is a left-invariant probability measure on G, then the protocol outlined above is a zero-knowledge interactive proof system.

Clearly, there are no left-invariant probability measures on braid groups used as platform groups in the protocol (a left-invariant probability measure on a countably infinite group would have to give every element the same mass, and infinitely many equal masses cannot sum to one), and, therefore, as noticed in [11] and [34], this protocol cannot be a perfect zero-knowledge interactive proof system when used with an infinite group such as $B_n$. Nevertheless, it is conjectured in [34] that the scheme can be computationally zero-knowledge for certain distributions $\mu$ on $B_n$. The authors supported that conjecture by statistical arguments based on length analysis.



1.3. The idea of the mean-set attack: the shift search problem. If we look at the protocol outlined in Section 1.1, we observe that the Prover sends to the Verifier a sequence of random elements of two types: r and sr, where r is a randomly generated element and s is the Prover's secret element. Any passive eavesdropper (Eve) can arrange a table of challenge/response transactions, where each row corresponds to a single round of the protocol, as shown below.
Round    Challenge    Response type #1    Response type #2
1        c = 1                            $sr_1$
2        c = 0        $r_2$
3        c = 0        $r_3$
4        c = 1                            $sr_4$
5        c = 0        $r_5$
...      ...          ...                 ...
n        c = 0        $r_n$

and obtain two sets of elements, corresponding to $c = 0$ and $c = 1$ respectively: $R_0 = \{r_{i_1}, \ldots, r_{i_k}\}$ and $R_1 = \{sr_{j_1}, \ldots, sr_{j_{n-k}}\}$, where all the elements $r_i$ are distributed according to $\mu$, i.e., all these elements are generated by the same random generator. Eve's goal is to recover the secret element s based on the intercepted sequences $R_0$ and $R_1$. We call this problem the shift search problem.

To explain the idea of the mean-set attack, assume for a moment that the group G is the infinite cyclic group $\mathbb{Z}$. In that case, we can rewrite the elements of $R_1$ in additive notation $\{s + r_{j_1}, \ldots, s + r_{j_{n-k}}\}$. Then we can compute the empirical average $\bar r_0 = \frac{1}{k}\sum_{m=1}^{k} r_{i_m}$ of the elements in $R_0 \subset \mathbb{Z}$ and the empirical average

$$\bar r_1 = \frac{1}{n-k}\sum_{m=1}^{n-k} (s + r_{j_m}) = s + \frac{1}{n-k}\sum_{m=1}^{n-k} r_{j_m}$$

of the elements in $R_1 \subset \mathbb{Z}$. By the strong law of large numbers for real-valued random variables, the larger the sequence $R_0$ is, the closer the value $\bar r_0$ is to the actual mean $E(\mu)$ of the distribution $\mu$ on $\mathbb{Z}$ induced by r. Similarly, the larger the sequence $R_1$ is, the closer the value $\bar r_1$ is to the number $s + E(\mu)$. Therefore, subtracting $\bar r_0$ from $\bar r_1$, we obtain a good guess of what s is. Observe three crucial properties that allow us to compute the secret element in the case $G = \mathbb{Z}$:

(AV1) (Strong law of large numbers for real-valued random variables) If $\xi_1, \xi_2, \ldots$ is a sequence of independent and identically distributed (i.i.d.) real-valued random variables, then

$$\frac{1}{n}\sum_{i=1}^{n} \xi_i \to E(\xi_1)$$

with probability one as $n \to \infty$, provided $E|\xi_1| < \infty$.

(AV2) ("Shift" property or linearity) For any real-valued random variable $\xi$ the formula $E(c + \xi) = c + E(\xi)$ holds.

(AV3) (Efficient computations) The average value $\frac{1}{n}\sum_{i=1}^{n} \xi_i$ is efficiently computable.

Geometrically, we can interpret this approach as follows. Given a large sample of random, independent, and identically distributed points $r_{i_1}, \ldots, r_{i_k}$ and a large sample of shifted points $s + r_{j_1}, \ldots, s + r_{j_{n-k}}$ on the real line, the shift s is "effectively visible".

It turns out that the same is true in general infinite groups. One can generalize a number of mathematical tools of classical probability theory to finitely generated groups (see [27] and Section 2.3 below) in order to have counterparts of (AV1), (AV2), and (AV3). Indeed,

• for a random group element $\xi : \Omega \to G$, one can define a set $\mathbb{E}(\xi) \subseteq G$ called the mean-set,

• for a sample of n random group elements $\xi_1, \ldots, \xi_n$, one can define their average, a set $\mathbb{S}_n = \mathbb{S}(\xi_1, \ldots, \xi_n) \subseteq G$ called the sample mean-set of the elements $\xi_1, \ldots, \xi_n$,

so that we have a "shift" property $\mathbb{E}(s\xi) = s\mathbb{E}(\xi)$ and a generalization of the strong law of large numbers (SLLN) for groups with respect to $\mathbb{E}(\xi)$, in the sense that $\mathbb{S}(\xi_1, \ldots, \xi_n)$ converges to $\mathbb{E}(\xi)$ as $n \to \infty$ with probability one (see Section 2.3 for precise definitions and statements). In addition, assume that the sample mean-set $\mathbb{S}(\xi_1, \ldots, \xi_n)$ is efficiently computable. Using the operator $\mathbb{S}$, Eve can compute the set

$$\mathbb{S}(sr_{j_1}, \ldots, sr_{j_{n-k}}) \cdot \bigl[\mathbb{S}(r_{i_1}, \ldots, r_{i_k})\bigr]^{-1},$$

which should contain s with high probability when n is sufficiently large. This is the idea of the mean-set attack and our approach to the shift search problem. Furthermore, one can show that the more rounds of the protocol are performed, the more information about the secret key our attack gains (note that at the same time the protocol is iterated by its nature, and a large number of rounds is important for its reliability in the sense of the soundness property). The discussion above leads to the main theoretical results of this paper, proved in Section 4.

Theorem A (Mean-set attack principle - I). Let G be a group, X a finite generating set for G, $s \in G$ a secret fixed element, and $\xi_1, \xi_2, \ldots$ a sequence of randomly generated i.i.d. group elements such that $\mathbb{E}\xi_1 = \{g\}$. If $r_1, \ldots, r_n$ is a sample of random elements of G generated by the Prover, $c_1, \ldots, c_n$ a succession of random bits (challenges) generated by the Verifier, and

$$y_i = \begin{cases} r_i & \text{if } c_i = 0; \\ sr_i & \text{if } c_i = 1 \end{cases}$$

random elements representing responses of the Prover, then there exists a constant $D = D(G, \mu)$ such that

$$P\Bigl(s \notin \mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \cdot \mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\})^{-1}\Bigr) \le \frac{D}{n}.$$

Theorem B (Mean-set attack principle - II). If, in addition to the assumptions of Theorem A, the distribution $\mu$ has finite support, then there exists a constant $D = D(G, \mu)$ such that

$$P\Bigl(s \notin \mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \cdot \mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\})^{-1}\Bigr) \le O(e^{-Dn}).$$

1.4. Outline. Section 2 reviews some necessary graph- and group-theoretic preliminaries that constitute the setting of our work. In Section 2.3 we recall the notion of the mean-set (expectation) of a (graph-)group-valued random element, introduced in [27], and the main theorems relevant to this object, to prepare the ground for the main results; in particular, we discuss the "shift" property, the strong law of large numbers, and the analogues of Chebyshev and Chernoff-like inequalities for graphs and groups. In Section 3 we propose an algorithm for computing mean-sets. Next, we turn to formulations and proofs of the main theoretical results of this paper, the mean-set attack principles under different assumptions. This task is carried out in Section 4. At the end of that section, we indicate that even if the proposed algorithm fails, we can still gain some information about the secret key of the Prover. In other words, the more rounds of the protocol are performed, the more information about the secret key we can gain. In Section 5.1 we present results of our experiments with the classical key generation according to [11]. Section 5.2 is concerned with results of experiments with the alternative (special) key generation proposed by Sibert et al. in [34]. At the end, in Section 6, we discuss possible methods for defending against the mean-set attack.

2. Preliminaries 

Let us briefly recall some definitions from group and graph theory. For a better insight into graph theory, the reader is referred to [35], while [21] can serve as a good introduction to group theory.

2.1. Graphs. An undirected graph $\Gamma$ is an ordered pair of sets $(V, E)$ where

• $V = V(\Gamma)$ is called the vertex set;

• $E = E(\Gamma)$ is a set of unordered pairs $(v_1, v_2) \in V \times V$ called the edge set.

If $e = (v_1, v_2) \in E$ then we say that $v_1$ and $v_2$ are adjacent in $\Gamma$. The number of vertices adjacent to v is called the degree of v. We say that the graph $\Gamma$ is locally-finite if every vertex has finite degree.

A directed graph $\Gamma$ is an ordered pair of sets $(V, E)$ where $E = E(\Gamma)$ is a set of ordered pairs $(v_1, v_2) \in V \times V$. If $e = (v_1, v_2) \in E$, then we say that $v_1$ is the origin of the edge e, denoted by $o(e)$, and $v_2$ is the terminus of e, denoted by $t(e)$. An undirected graph can be viewed as a directed graph in which a pair $(v_1, v_2) \in E$ serves as two edges $(v_1, v_2)$ and $(v_2, v_1)$.

A path p in a directed graph $\Gamma$ is a finite sequence of edges $e_1, \ldots, e_n$ such that $t(e_i) = o(e_{i+1})$. The vertex $o(e_1)$ is called the origin of the path p and is denoted by $o(p)$. The vertex $t(e_n)$ is called the terminus of the path p and is denoted by $t(p)$. The number n is called the length of the path p and is denoted by $|p|$. We say that two vertices $v_1, v_2 \in V(\Gamma)$ are connected if there exists a path from $v_1$ to $v_2$ in $\Gamma$. The graph $\Gamma$ is connected if every pair of vertices is connected.

The distance between $v_1$ and $v_2$ in a graph $\Gamma$ is the length $d(v_1, v_2)$ of a shortest path between $v_1$ and $v_2$. If $v_1$ and $v_2$ are disconnected, then $d(v_1, v_2) = \infty$. We say that a path $p = e_1, \ldots, e_n$ from $v_1$ to $v_2$ is geodesic in a graph $\Gamma$ if $d(o(p), t(p))= d(v_1, v_2) = n$, i.e., if p is a shortest path from $v_1$ to $v_2$.

A path $p = e_1, \ldots, e_n$ in a graph $\Gamma$ is closed if $o(p) = t(p)$. In this case we say that p is a cycle in $\Gamma$. A path p is simple if no proper segment of p is a cycle. The graph $\Gamma$ is a tree if it does not contain a simple cycle.

2.2. Groups and Cayley graphs. Consider a finite set, also called an alphabet, $X = \{x_1, \ldots, x_n\}$, and let $X^{-1}$ be the set of formal inverses $\{x_1^{-1}, \ldots, x_n^{-1}\}$ of elements in X. This defines an involution $^{-1}$ on the set $X^{\pm 1} := X \cup X^{-1}$ which maps every symbol $x \in X$ to its formal inverse $x^{-1} \in X^{-1}$ and every symbol $x^{-1} \in X^{-1}$ to the original $x \in X$. An alphabet X is called a group alphabet if $X^{-1} \subseteq X$ and there is an involution which maps elements of X to their inverses. An X-digraph is a graph $(V, E)$ with edges labeled by elements in $X^{\pm 1} = X \cup X^{-1}$ such that for any edge $e = u \xrightarrow{x} v$ there exists an edge $v \xrightarrow{x^{-1}} u$, which is called the inverse of e and is denoted by $e^{-1}$. See [18] for more information on X-digraphs.

Let G be a group and $X \subseteq G$ a set of generators for G, i.e., $G = \langle X \rangle$. Assume that X is closed under inversion, i.e., $X = X^{-1}$. The Cayley graph $C_G(X)$ of G relative to X is a labeled graph $(V, E)$, where the vertex set is $V = G$, and the edge set E contains all edges of the form $g_1 \xrightarrow{x} g_2$ where $g_1, g_2 \in G$, $x \in X$ and $g_2 = g_1 x$, and only them. The distance between elements $g_1, g_2 \in G$ relative to the generating set X is the distance in the graph $C_G(X)$ between the vertices $g_1$ and $g_2$ or, equivalently,

$$d_X(g_1, g_2) = \min\{\, n \mid g_1 x_{i_1}^{\varepsilon_1} x_{i_2}^{\varepsilon_2} \cdots x_{i_n}^{\varepsilon_n} = g_2 \text{ for some } x_{i_j} \in X,\ \varepsilon_j = \pm 1 \,\}.$$

2.3. Random (graph-)group elements. In this section, we recall some of the main notions and results of [27] that are employed further in the present paper. Let $\Gamma = (V, E)$ be a locally-finite connected graph and $(\Omega, \mathcal{F}, P)$ a probability space. A measurable mapping $\xi : \Omega \to V(\Gamma)$ is called a random graph element defined on the given probability space. A random $\Gamma$-element $\xi$ induces an atomic probability measure $\mu$ on $V(\Gamma)$ defined in the usual way as

$$\mu(v) = \mu_\xi(v) = P(\{\omega \mid \xi(\omega) = v\}), \quad v \in V(\Gamma).$$

Define a weight function $M : V(\Gamma) \to \mathbb{R}$ by

$$M(v) = M_\xi(v) = \sum_{s \in V(\Gamma)} d^2(v, s)\,\mu(s),$$

where $d(v, s)$ is the distance between v and s in $\Gamma$. The domain of M is the set

$$\mathrm{domain}(M) = \Bigl\{ v \in V(\Gamma) \ \Big|\ \sum_{s \in V(\Gamma)} d^2(v, s)\,\mu(s) < \infty \Bigr\}.$$

It is proved in [27] that for any distribution $\mu$ on $V(\Gamma)$ either $\mathrm{domain}(M) = \emptyset$ or $\mathrm{domain}(M) = V(\Gamma)$. In the case when $\mathrm{domain}(M) = V(\Gamma)$, we say that $M(\cdot)$ is totally defined. Given that $\mathrm{domain}(M) = V(\Gamma)$, the mean-set of a $\Gamma$-valued $\xi$ is defined to be the set of vertices minimizing the weight function, i.e.,

(1) $$\mathbb{E}(\xi) = \{\, v \in V(\Gamma) \mid M(v) \le M(u),\ \forall u \in V(\Gamma) \,\}.$$

Sometimes we write $\mathbb{E}(\mu)$ and speak of the mean-set of the distribution $\mu$. Using the Cayley graph construction one can similarly define the notion of the mean-set for a finitely generated group G (relative to a fixed generating set). Similar mean values (in different settings) are used rather often; see [27] and the references therein for some history and literature sources. Below, we recall some results proved in [27].

Lemma 2.1 ([27]). Let $\xi$ be a random $\Gamma$-element, where $\Gamma$ is a connected locally-finite graph, with totally defined weight function $M_\xi(\cdot)$. Then the mean-set $\mathbb{E}(\xi)$ is non-empty and finite.

The next property is an analogue of the property $E(c + \xi) = c + E\xi$ for real-valued random variables.

Proposition 2.2 (Shift property, [27]). Let $G = \langle X \rangle$ be a finitely generated group and $g \in G$. Let $\xi$ be a random G-element. Then for the random element defined by $\xi_g(\omega) = g\xi(\omega)$ we have $\mathbb{E}(\xi_g) = g\mathbb{E}(\xi)$.

It is easy to see that this property follows from the fact that for any $g_1, g_2, s \in G$ the equality $d_X(g_1, g_2) = d_X(sg_1, sg_2)$ holds, where $d_X(g_1, g_2)$ is the distance between the elements $g_1, g_2 \in G$ relative to X (see Section 2.2).
Now let $\xi_1, \ldots, \xi_n$ be a sample of independent and identically distributed graph-valued random elements $\xi_i : \Omega \to V(\Gamma)$ defined on a given probability space $(\Omega, \mathcal{F}, P)$, and let $\mu_n(v)$ be the relative frequency

$$\mu_n(v) = \frac{|\{\, i \mid \xi_i = v,\ 1 \le i \le n \,\}|}{n}$$

with which the value $v \in V(\Gamma)$ occurs in the random sample $\xi_1(\omega), \ldots, \xi_n(\omega)$. Let

$$M_n(v) = \sum_{s \in V(\Gamma)} d^2(v, s)\,\mu_n(s)$$

be the random weight, called the sampling weight, corresponding to $v \in V(\Gamma)$, and $M_n(\cdot)$ the resulting random sampling weight function. The set of vertices

$$\mathbb{S}_n = \mathbb{S}(\xi_1, \ldots, \xi_n) = \{\, v \in V(\Gamma) \mid M_n(v) \le M_n(u),\ \forall u \in V(\Gamma) \,\}$$

is called the sample mean-set (or sample center-set) relative to $\xi$. The next theorem shows that the sets $\mathbb{S}_n$ and $\mathbb{E}(\xi)$ in $\Gamma$ play roles analogous to the classical average of real values and the classical expectation E of a real-valued random variable, respectively, in the non-commutative case. In other words, the strong law of large numbers generalized to graphs and groups states that our (empirical) sample mean-set $\mathbb{S}_n$ converges to the (theoretical) mean-set $\mathbb{E}(\xi)$ as $n \to \infty$.

Theorem 2.3 (Strong law of large numbers, [27]). Let $\Gamma$ be a locally-finite connected graph and $\{\xi_i\}_{i=1}^{\infty}$ a sequence of i.i.d. random $\Gamma$-elements. If the weight function $M_{\xi_1}(\cdot)$ is totally defined and $\mathbb{E}(\xi_1) = \{v\}$ for some $v \in V(\Gamma)$, then

$$\lim_{n \to \infty} \mathbb{S}_n = \mathbb{E}(\xi_1)$$

with probability one.

A similar result holds for multi-vertex mean-sets. See [27] for the technical conditions needed, as well as other details. The simplest version of the multi-vertex SLLN, in terms of limsup, is as follows:

Theorem 2.4 (Multi-vertex SLLN, [27]). Let $\Gamma$ be a locally-finite connected graph and $\{\xi_i\}_{i=1}^{\infty}$ a sequence of i.i.d. random $\Gamma$-elements. Assume that the weight function $M_{\xi_1}(\cdot)$ is totally defined and $\mathbb{E}(\xi_1) = \{v_1, \ldots, v_k\}$, where $k \ge 4$. If $\mathbb{E}(\xi_1) \subseteq \mathrm{supp}(\mu)$ then

$$\limsup_{n \to \infty} \mathbb{S}_n = \mathbb{E}(\xi_1)$$

holds with probability one.

Moreover, the following asymptotic upper bounds (analogues of the classical Chebyshev and Chernoff bounds) on the convergence rate hold:

Theorem 2.5 (Chebyshev's inequality for graphs, [27]). Let $\Gamma$ be a locally-finite connected graph and $\{\xi_i\}_{i=1}^{\infty}$ a sequence of i.i.d. random $\Gamma$-elements. If the weight function $M_{\xi_1}(\cdot)$ is totally defined then there exists a constant $C = C(\Gamma, \xi_1) > 0$ such that

(2) $$P\bigl(\mathbb{S}(\xi_1, \ldots, \xi_n) \not\subseteq \mathbb{E}(\xi_1)\bigr) \le \frac{C}{n}.$$

With an additional assumption on $\mu$, we can get an even stronger, Chernoff-like, asymptotic bound.

Theorem 2.6 (Chernoff-like bound for graphs, [27]). Let $\Gamma$ be a locally-finite connected graph and $\{\xi_i\}_{i=1}^{\infty}$ a sequence of i.i.d. random $\Gamma$-elements. If the weight function $M_{\xi_1}(\cdot)$ is totally defined and $\mu_{\xi_1}$ has finite support, then for some constant $C > 0$

(3) $$P\bigl(\mathbb{S}(\xi_1, \ldots, \xi_n) \not\subseteq \mathbb{E}(\xi_1)\bigr) \le O(e^{-Cn}).$$

3. Effective computation of a mean-set

Let G be a group and $\{\xi_i\}_{i=1}^{n}$ a sequence of random i.i.d. elements taking values in G such that the corresponding weight function $M(\cdot)$ is totally defined. In Section 2.3 we introduced the notion of the mean-set of $\xi$, which satisfies the desirable properties (AV1) and (AV2) of Section 1.3. One of the technical difficulties encountered in practice is that, unlike the classical average value $(x_1 + \ldots + x_n)/n$ for real-valued random variables, the sample mean-set $\mathbb{S}_n$ is hard to compute. In other words, in general, our definition of the mean-set might not satisfy property (AV3).

Several problems arise when trying to compute $\mathbb{S}_n$:

• Straightforward computation of the set $\{M(g) \mid g \in G\}$ requires at least $O(|G|^2)$ steps. This is computationally infeasible for large groups G, and impossible for infinite groups. Hence we might want to reduce the search for a minimum to some small part of G.

• There exist infinite groups in which the distance function $d(\cdot, \cdot)$ is very difficult to compute. The braid group $B_\infty$ is an example of such a group. The computation of the distance function for $B_\infty$ is known to be NP-hard, see [31]. Such groups require special treatment.

Moreover, there exist infinite groups for which the distance function $d(\cdot, \cdot)$ is not computable. We omit consideration of such groups.

We devise a heuristic procedure to solve the first problem. As proved in [27], if the weight function $M(\cdot)$ satisfies certain local monotonicity properties, then our procedure achieves the desired result. Our algorithm is a simple direct descent heuristic, in which we use the sample weight function $M_n$ that comes from a sample of random group elements $\{g_1, \ldots, g_n\}$ from a finitely generated group G.

Algorithm 3.1 (Direct Descent Heuristic).

Input: A group G with a finite set of generators $X \subseteq G$ and a sequence of elements $\{g_1, \ldots, g_n\}$ in G.

Output: An element $g \in G$ that locally minimizes $M_n(\cdot)$.

Computations:

A. Choose a random $g \in G$ according to some probability measure $\nu$ on G.

B. If for every $x \in X^{\pm 1}$, $M_n(g) \le M_n(gx)$, then output g.

C. Otherwise put $g \leftarrow gx$, where $x \in X^{\pm 1}$ is an element minimizing the value of $M_n(gx)$, and go to step B.

As any other direct descent heuristic method, Algorithm 3.1 might not work if the function $M_n$ has local minima. It is proved in [27] that it always works for trees and, hence, for free groups.

Theorem 3.2 ([27]). Let $\mu$ be a distribution on a locally-finite tree T such that the function M is totally defined. Then Algorithm 3.1 for T and M finds a central point (mean-set) of $\mu$ on T.
The second problem of computing $\mathbb{S}_n$ concerns practical computation of the length function in G. It turns out that we need a relatively mild assumption to deal with it: the existence of an efficiently computable distance function $d_X(\cdot, \cdot)$; even a "reasonable" approximation of the length function may work. In this work we approximate geodesic length using the method described in [23]. Even though it does not guarantee the optimal result, it has proved to be practically useful in a series of attacks, see [24], [30], [29], [22].

4. The mean-set attack 

In this section, we use the theoretical results stated above to attack the Sibert et al. protocol, described in Section 1.1. In the following heuristic attack we use Algorithm 3.1 to compute the sample mean-set $\mathbb{S}_n$.

Algorithm 4.1 (The mean-set attack).

Input: The Prover's public pair $(t, w)$ and sequences $R_0$ and $R_1$ as in the protocol.

Output: An element z satisfying the equality $t = z^{-1}wz$ (which can be considered as the Prover's private key), or Failure.

Computations:

A. Apply Algorithm 3.1 to $R_0$ and obtain $g_0$.

B. Apply Algorithm 3.1 to $R_1$ and obtain $g_1$.

C. If $g_1 g_0^{-1}$ satisfies $t = (g_1 g_0^{-1})^{-1} w (g_1 g_0^{-1})$ then output $g_1 g_0^{-1}$. Otherwise output Failure.

If the algorithm outputs an element $z \in G$, then z can serve as the Prover's original secret s; any solution of the conjugacy equation $t = x^{-1}wx$ does. In general, z can be different from s, and there are no means for the adversary to determine whether $z = s$. In spite of that, Eve, who is only trying to authenticate as the Prover, considers this z a success. On the other hand, since our goal is to show that the protocol is not computationally zero-knowledge, we estimate the probability of finding s. Only this original secret element s is considered a success in our analysis. Other outcomes that work for Eve (when $z \ne s$) are ignored.

The theorems below give asymptotic bounds on the failure rate (for the original s) of the mean-set attack. We show that the probability of failure can decrease like $1/n$ or exponentially in n, depending on the distribution $\mu$.

Theorem 4.2 (Mean-set attack principle - I). Let G be a group, X a finite generating set for G, $s \in G$ a secret fixed element, and $\xi_1, \xi_2, \ldots$ a sequence of randomly generated i.i.d. group elements such that $\mathbb{E}(\xi_1) = \{g\}$. If $r_1, \ldots, r_n$ is a sample of random elements of G generated by the Prover, $c_1, \ldots, c_n$ a succession of random bits (challenges) generated by the Verifier, and

$$y_i = \begin{cases} r_i & \text{if } c_i = 0; \\ sr_i & \text{if } c_i = 1 \end{cases}$$

random elements representing responses of the Prover, then there exists a constant D such that

$$P\Bigl(s \notin \mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \cdot \mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\})^{-1}\Bigr) \le \frac{D}{n}.$$
Proof. It follows from Theorem 2.5 that there exists a constant C such that

$$P\bigl(\mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\}) \ne \{g\}\bigr) \le \frac{C}{|\{\, i \mid c_i = 0,\ i = 1, \ldots, n \,\}|}.$$

Applying Chebyshev's inequality to the Bernoulli random variables $\{c_i\}$ having $E(c_i) = \frac{1}{2}$ and $\sigma^2_{c_i} = \frac{1}{4}$, we obtain

$$P\Bigl(|\{\, i \mid c_i = 0,\ i = 1, \ldots, n \,\}| < \frac{n}{4}\Bigr) \le \frac{4}{n}.$$

In more detail, if the number of zeros in our sample of challenges is less than $\frac{n}{4}$, then the number of ones is greater than or equal to $\frac{3n}{4}$, and we have

$$P\Bigl(|\{\, i \mid c_i = 0,\ i = 1, \ldots, n \,\}| < \frac{n}{4}\Bigr) \le P\Bigl(\sum_{i=1}^{n} c_i \ge \frac{3n}{4}\Bigr) \le P\Bigl(\Bigl|\frac{1}{n}\sum_{i=1}^{n} c_i - \frac{1}{2}\Bigr| \ge \frac{1}{4}\Bigr) \le \frac{\sigma^2_{c_i}}{n\varepsilon^2} = \frac{1/4}{n/16} = \frac{4}{n}$$

from the classical Chebyshev inequality for sample means with $\varepsilon = \frac{1}{4}$. It follows that

$$P\bigl(\mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\}) \ne \{g\}\bigr) \le \frac{4}{n} + \frac{4C}{n} = \frac{4 + 4C}{n}.$$

Similarly (using the shift property, Proposition 2.2, which gives $\mathbb{E}(s\xi_1) = \{sg\}$), we prove that $P\bigl(\mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \ne \{sg\}\bigr) \le \frac{4 + 4C}{n}$. Hence,

$$P\Bigl(s \notin \mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \cdot \mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\})^{-1}\Bigr) \le \frac{8 + 8C}{n}. \qquad \square$$



Furthermore, we can get a Chernoff-like asymptotic bound if we impose one restriction on the distribution $\mu$. Recall the original Hoeffding inequality ([17]), well known in probability theory. Assume that $\{x_i\}$ is a sequence of independent random variables and that every $x_i$ is almost surely bounded, i.e., $P(x_i - Ex_i \in [a_i, b_i]) = 1$ for some $a_i, b_i \in \mathbb{R}$. Then for the sum $S_n = x_1 + \ldots + x_n$, the inequality

$$P(S_n - ES_n \ge n\varepsilon) \le \exp\Bigl(-\frac{2n^2\varepsilon^2}{\sum_{i=1}^{n}(b_i - a_i)^2}\Bigr)$$

holds. If the $x_i$ are identically distributed, then we get the inequality

(4) $$P\Bigl(\Bigl|\frac{1}{n}(x_1 + \ldots + x_n) - Ex_1\Bigr| \ge \varepsilon\Bigr) \le 2\exp\Bigl(-\frac{2\varepsilon^2 n}{(b - a)^2}\Bigr).$$

Now we can prove the mean-set attack principle with exponential bounds.

Theorem 4.3 (Mean-set attack principle - II). Let G be a group, X a finite generating set for G, $s \in G$ a secret fixed element, and $\xi_1, \xi_2, \ldots$ a sequence of randomly generated i.i.d. group elements such that $\mathbb{E}(\xi_1) = \{g\}$. If $r_1, \ldots, r_n$ is a sample of random elements of G generated by the Prover, $c_1, \ldots, c_n$ a succession of random bits (challenges) generated by the Verifier,

$$y_i = \begin{cases} r_i & \text{if } c_i = 0; \\ sr_i & \text{if } c_i = 1 \end{cases}$$

random elements representing responses of the Prover, and the distribution $\mu$ has finite support, then there exists a constant $D = D(G, \mu)$ such that

$$P\Bigl(s \notin \mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \cdot \mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\})^{-1}\Bigr) \le O(e^{-Dn}).$$




Proof. It follows from Theorem 2.6 that there exists a constant C such that

$$P\bigl(\mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\}) \ne \{g\}\bigr) \le O\bigl(e^{-C\,|\{\, i \mid c_i = 0,\ i = 1, \ldots, n \,\}|}\bigr).$$

Applying inequality (4) to the Bernoulli random variables $\{c_i\}$ (with $a = 0$, $b = 1$ and $\varepsilon = \frac{1}{4}$), we get

$$P\Bigl(\Bigl|\frac{1}{n}\sum_{i=1}^{n} c_i - \frac{1}{2}\Bigr| \ge \frac{1}{4}\Bigr) \le 2e^{-n/8},$$

and hence, exactly as in the proof of Theorem 4.2, $P\bigl(|\{\, i \mid c_i = 0 \,\}| < \frac{n}{4}\bigr) \le 2e^{-n/8}$. Thus, we obtain the bound

$$P\bigl(\mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\}) \ne \{g\}\bigr) \le 2e^{-n/8} + O(e^{-Cn/4}).$$

Similarly, we prove that $P\bigl(\mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \ne \{sg\}\bigr) \le 2e^{-n/8} + O(e^{-Cn/4})$. Hence,

$$P\Bigl(s \notin \mathbb{S}(\{y_i \mid c_i = 1,\ i = 1, \ldots, n\}) \cdot \mathbb{S}(\{y_i \mid c_i = 0,\ i = 1, \ldots, n\})^{-1}\Bigr) \le O(e^{-Dn}),$$

where $D = \min\{1/8,\ C/4\}$. $\square$

Algorithm 4.1 can fail. Nevertheless, the pair of obtained elements $g_0, g_1$ often encodes some additional information about the secret s. Indeed, assume that $\mathbb{E}\mu = \{g\}$. The element $g_0$ obtained at step A of Algorithm 4.1 can be viewed as a product $ge_0$ for some $e_0 \in G$. Similarly, the element $g_1$ can be viewed as a product $sge_1$ for some $e_1 \in G$. Hence Algorithm 4.1 outputs the secret element s whenever

$$g_1 g_0^{-1} = sge_1 e_0^{-1} g^{-1} = s,$$

i.e., whenever $e_1 e_0^{-1} = 1$.

Now, assume that Algorithm 4.1 has failed, i.e., $e_1 e_0^{-1} \ne 1$. In this case, one can try to reconstruct the secret element s as a product

$$g_1 \cdot e \cdot g_0^{-1} = sge_1 \cdot e \cdot e_0^{-1} g^{-1},$$

where e is an unknown element of the platform group. Clearly, e gives a correct answer if and only if $e_1 \cdot e \cdot e_0^{-1} = 1$, or $e = e_1^{-1} e_0$. The element

(5) $$e_1^{-1} e_0$$

is called the error of the method. Clearly, one only needs to enumerate all words e of length up to $|e_1^{-1}e_0|$ to reconstruct the required s in the form $g_1 e g_0^{-1}$. If a secret element s is chosen uniformly as a word of length l and $|e_1^{-1}e_0| < l$, then we gain some information about s, since the search space for s is reduced. We can improve Algorithm 4.1 by adding such an enumeration step as follows.

Algorithm 4.4. (The attack 2)

Input: The Prover's public element $(t, w)$. Sequences $R_0$ and $R_1$ as in the protocol. The number $k \in \mathbb{N}$, the expected length of the error element $e_1^{-1} e_0$.

Output: An element $z$ satisfying the equality $t = z^{-1} w z$ (which can be considered as the Prover's private key), or Failure.

Computations:

A. Apply Algorithm 3.1 to $R_0$ and obtain $g_0$.

B. Apply Algorithm 3.1 to $R_1$ and obtain $g_1$.

C. For every word $e$ of length up to $k$, check if $g_1 e g_0^{-1}$ satisfies the equality $t = (g_1 e g_0^{-1})^{-1} w (g_1 e g_0^{-1})$; if it does, output $g_1 e g_0^{-1}$. Otherwise output Failure.

Note that step C examines up to $2|X|(2|X|-1)^{k-1}$ freely reduced words of length $k$ (fewer once the relations of $G$ are taken into account), so its cost grows exponentially in $k$; the improvement over Algorithm 4.1 is only meaningful when the error is short, which is why the experiments below report the average error length next to the success rate.
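The whole of Algorithm 4.4 run end to end, as an added example that is not part of the paper or of the CRAG package: the Sibert et al. rounds are simulated in the free group $F_2 = \langle a, b \rangle$ (chosen because its word metric is exact, unlike the approximated braid length used in the experiments below), the responses are split by challenge bit, a greedy descent on the sampling weight $M_n$ stands in for Algorithm 3.1, and the error enumeration of step C is checked against the verifier's own test $t = z^{-1} w z$. The string encoding of words, the secret $s$, the public element $w$ and the nonce samples (whole spheres of radius 2, so that the mean-set of each class is exactly a singleton) are constructed for this example and are not the paper's data; starting the descent at the identity is a further simplification of Algorithm 3.1, which starts at a random element.

```python
import itertools

# Added example, not code from the paper.  Platform group: the free group
# F_2 = <a, b>.  Words are strings over a, A, b, B with A = a^-1, B = b^-1
# (an encoding assumed by this example, not the paper's notation).

GENS = "aAbB"   # X^{+-1}: the neighbours of a vertex in the Cayley graph


def inv(w):
    """Inverse of a word: reverse it and replace every letter by its inverse."""
    return w.swapcase()[::-1]


def reduce_word(w):
    """Freely reduce a word by cancelling adjacent x x^-1 pairs."""
    out = []
    for ch in w:
        if out and out[-1] == ch.swapcase():
            out.pop()
        else:
            out.append(ch)
    return "".join(out)


def mul(*ws):
    return reduce_word("".join(ws))


def dist(g, h):
    """Word metric d_X(g, h) = |g^-1 h|, the graph distance in the Cayley graph."""
    return len(mul(inv(g), h))


def weight(g, sample):
    """Sampling weight M_n(g) = (1/n) sum_i d(g, r_i)^2, the function the paper minimises."""
    return sum(dist(g, r) ** 2 for r in sample) / len(sample)


def sampling_mean_set(sample, start=""):
    """Greedy descent in the spirit of the paper's Algorithm 3.1: from `start`
    move to the neighbour g*x with the smallest M_n as long as that strictly
    lowers M_n, and return the local minimum reached."""
    g = start
    while True:
        x = min(GENS, key=lambda y: weight(mul(g, y), sample))
        if weight(mul(g, x), sample) >= weight(g, sample):
            return g
        g = mul(g, x)


def words(length):
    """All freely reduced words of exactly `length` letters (a sphere of the Cayley graph)."""
    return [w for w in map("".join, itertools.product(GENS, repeat=length))
            if len(reduce_word(w)) == length]


# The rounds as the paper describes them: public (w, t) with t = s^-1 w s,
# commitment x = r^-1 t r, response r if c = 0 and s r if c = 1.

def prover_round(s, t, r, c):
    return (mul(inv(r), t, r), c, r if c == 0 else mul(s, r))


def verify_round(w, t, x, c, y):
    return x == (mul(inv(y), t, y) if c == 0 else mul(inv(y), w, y))


def make_transcript(s, t, nonces, challenges):
    return [prover_round(s, t, r, c) for r, c in zip(nonces, challenges)]


def mean_set_attack(w, t, transcript, k=0):
    """Algorithm 4.4 (attack 2): split the responses by challenge bit, take the
    sampling mean-set of each class, then try z = g1 e g0^-1 for every word e
    with |e| <= k and return the first z that passes the verifier's check
    t = z^-1 w z, or None for Failure."""
    r0 = [y for _, c, y in transcript if c == 0]
    r1 = [y for _, c, y in transcript if c == 1]
    g0, g1 = sampling_mean_set(r0), sampling_mean_set(r1)
    for length in range(k + 1):
        for e in words(length):
            z = mul(g1, e, inv(g0))
            if mul(inv(z), w, z) == t:
                return z
    return None


if __name__ == "__main__":
    s, w = "abA", "ab"                 # constructed secret and public element
    t = mul(inv(s), w, s)
    sphere = words(2)                  # constructed nonce sample: the whole sphere of radius 2
    bits = [0] * len(sphere) + [1] * len(sphere)
    tr = make_transcript(s, t, sphere + sphere, bits)
    assert all(verify_round(w, t, *rnd) for rnd in tr)
    print(mean_set_attack(w, t, tr))   # the secret "abA", error of length 0
    # Nonces of the c = 1 rounds shifted by b: g1 = s b, the error e1^-1 e0 = B has length 1.
    tr2 = make_transcript(s, t, sphere + [mul("b", r) for r in sphere], bits)
    print(mean_set_attack(w, t, tr2, k=0), mean_set_attack(w, t, tr2, k=1))
```

In the second transcript the mean-set of the $c = 1$ class is $\{sb\}$ rather than $\{s\}$, so $g_1 g_0^{-1} = sb$ fails the conjugacy check and Algorithm 4.1 would report Failure; the enumeration of step C with $k = 1$ reaches $e = b^{-1}$ and recovers $s$, which is exactly the case the error (5) was introduced for.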



To demonstrate the practical use of our mean-set attack, we perform a series of experiments, which we describe below. In [11] two different methods of generating nonce elements were proposed, both with the same platform group $B_n$, which has the following (Artin's) presentation

$$B_n = \left\langle \sigma_1, \dots, \sigma_{n-1} \;\middle|\; \sigma_i \sigma_j = \sigma_j \sigma_i \text{ for } |i-j| \ge 2,\ \ \sigma_i \sigma_{i+1} \sigma_i = \sigma_{i+1} \sigma_i \sigma_{i+1} \text{ for } 1 \le i \le n-2 \right\rangle.$$

We distinguish between the two ways, classical ([11]) and alternative ([34]), to generate elements of the underlying group by performing two different sets of experiments, outlined below in Sections 5.1 and 5.2. In both cases, we observe that the secret information of the Prover is not secure, and that the probability of breaking the protocol grows as the number of rounds of the protocol increases. All experiments are done using the CRAG software package [5].

5.1. Classical key generation. Classical key generation of the elements of $B_n$ was suggested in [11] with parameters $n = 50$ (rank of the braid group) and length of private keys $L = 512$. Computing the length function relative to the Artin generators $\{\sigma_1, \dots, \sigma_{n-1}\}$ is NP-hard. That is why in this paper, as already mentioned above, we use the approximation of geodesic length method proposed in [24]. See [23], [30], [21], [22] for a series of successful attacks using this method. We want to emphasize that we compute the sampling weight values in Algorithm 3.1, which is a subroutine of Algorithm 4.1, using the approximated distance function values in $B_n$.

One of the disadvantages of the approximation algorithm that we use is that there is no polynomial time upper bound for it, as it uses Dehornoy handle-free forms [10]. As a result we do not know the complexity of our algorithm and we do not know how it scales with the parameter values. In each experiment we randomly generate an instance of the authentication protocol and try to break it, i.e., find the private key, using the techniques developed in this paper. Recall that each authentication is a series of $k$ 3-pass commitment-challenge-response rounds. Therefore, an instance of authentication consists of $k$ triples $(x_i, c_i, r_i)$, $i = 1, \dots, k$, obtained as described in Section 1.1. Here $x_i$ is a commitment, $c_i$ is a challenge, and $r_i$ is a response. Each bit $c_i$ is chosen randomly and uniformly from the set $\{0, 1\}$. In our experiments we make the assumption that exactly half of the $c_i$'s are $0$ and half are $1$. This allows us to see an instance of the protocol as a pair of equinumerous sets $R_0 = \{r_1, \dots, r_{k/2}\} \subset B_n$ and $R_1 = \{s r'_1, \dots, s r'_{k/2}\} \subset B_n$.

The main parameters for the system are the rank $n$ of the braid group, the number of rounds $k$ in the protocol, and the length $L$ of secret keys. We generate a single instance of the problem with parameters $(n, k, L)$ as follows:

• A braid $s$ is chosen randomly and uniformly as a word of length $L$ over the group alphabet $\{\sigma_1, \dots, \sigma_{n-1}\}$. This braid is the secret element; it is used only to generate further data and to compare the final element to.

• A sequence $R_0 = \{r_1, \dots, r_{k/2}\}$ of braid words chosen randomly and uniformly as words of length $L$ over the group alphabet $\{\sigma_1, \dots, \sigma_{n-1}\}$.

• A sequence $R_1 = \{s r'_1, \dots, s r'_{k/2}\}$ of braid words, where the $r'_i$ are chosen randomly and uniformly as words of length $L$ over the group alphabet $\{\sigma_1, \dots, \sigma_{n-1}\}$.

For every parameter set $(n, k, L)$ we generate 1000 random instances $(R_0, R_1)$ and run Algorithm 4.1, which attempts to find the secret key $s$ used in the generation of $R_1$.

Below we present the results of actual experiments done for the groups $B_5$, $B_{10}$, and $B_{20}$. Horizontally we have increasing number of rounds $k$ from 10 to 320 and vertically we have increasing lengths $L$ from 10 to 100. Every cell contains a pair $(P\%, E)$ where $P$ is the success rate and $E$ is the average length of the error (5) of the method for the corresponding pair $(L, k)$ of parameter values. All experiments were performed using the CRAG library [5]. The library provides an environment to test cryptographic protocols constructed from non-commutative groups, for example the braid group.



 L \ k |     10      |     20      |     40      |     80     |     160     |    320
-------+-------------+-------------+-------------+------------+-------------+-----------
   10  | (19%, 1.3)  | (72%, 0.3)  | (97%, 0.04) | (100%, 0)  | (100%, 0)   | (100%, 0)
   50  | (2%, 13.4)  | (8%, 9)     | (68%, 1.3)  | (93%, 0.1) | (100%, 0)   | (100%, 0)
  100  | (0%, 53.7)  | (0%, 48.1)  | (6%, 26.9)  | (44%, 14)  | (65%, 14.7) | (87%, 5)

Table 1. Experiments in $B_5$.



 L \ k |     10      |     20      |     40      |     80     |     160     |    320
-------+-------------+-------------+-------------+------------+-------------+-----------
   10  | (15%, 1.8)  | (68%, 0.3)  | (98%, 0)    | (100%, 0)  | (100%, 0)   | (100%, 0)
   50  | (0%, 4.5)   | (23%, 1.3)  | (82%, 0)    | (97%, 0)   | (99%, 0)    | (100%, 0)
  100  | (1%, 41)    | (7%, 23.5)  | (33%, 5)    | (79%, 1)   | (97%, 0.6)  | (98%, 1.1)

Table 2. Experiments in $B_{10}$.



 L \ k |     10      |     20      |     40      |     80     |     160     |    320
-------+-------------+-------------+-------------+------------+-------------+-----------
   10  | (15%, 1.6)  | (87%, 0.1)  | (100%, 0)   | (100%, 0)  | (100%, 0)   | (100%, 0)
   50  | (0%, 5.4)   | (23%, 1.7)  | (81%, 0.2)  | (100%, 0)  | (100%, 0)   | (100%, 0)
  100  | (0%, 7.8)   | (15%, 2)    | (72%, 0.3)  | (97%, 0)   | (100%, 0)   | (100%, 0)

Table 3. Experiments in $B_{20}$.



We immediately observe from the data above that:

• the success rate increases as the number of rounds (sample size) increases;

• the success rate decreases as the length of the key increases;

• the success rate increases as the rank of the group increases;

• the average error length decreases as we increase the number of rounds.

The first observation is the most interesting, since the number of rounds is one of the main reliability parameters of the protocol: the soundness error decreases as $1/2^k$ as the number of rounds $k$ gets larger. But, at the same time, we observe that the security of the scheme decreases as $k$ increases; for example, in $B_{20}$ with $L = 100$ the $k = 80$ rounds needed for a soundness error of $2^{-80}$ already expose the key in 97% of the instances (Table 3). The second observation can be interpreted as follows: the longer the braids are, the more difficult it is to compute the approximation. The third observation is easy to explain: the bigger the rank of the group, the more braid generators commute and the simpler random braids are.

5.2. Alternative key generation. As we have mentioned in Section 1.2, the Sibert et al. scheme, proposed in [33], does not possess the perfect zero-knowledge property. Nevertheless, the authors of [34] try to achieve computational zero knowledge by proposing a special way of generating public and private information. They provide some statistical evidence that the scheme can be computationally zero-knowledge if this alternative key generation is used. In this section we, firstly, outline the proposed key generation method and, secondly, present actual experiments supporting our theoretical results even for this special key generation method.

The method of generating braids in [34] can be translated to the notation of the present paper as follows. The Prover generates

• nonce elements $r$ as products of $L$ uniformly chosen permutation braids $p_i$ (see [13]) from $B_n$, i.e., $r = p_1 p_2 \cdots p_L$; in particular, $r$ belongs to the corresponding positive monoid $B_n^+$;

• the secret key $s$ as the inverse of a product of $L$ uniformly chosen permutation braids $p'_i$ from $B_n$, i.e., $s = (p'_1 p'_2 \cdots p'_L)^{-1}$.

We made a very useful observation when doing the experiments with nonce elements $r$ generated this way. We observed that the mean-set in this case is often a singleton set of the form $\{\Delta^k\}$, where $\Delta$ is the half-twist braid and $k \in \mathbb{N}$. Therefore, to enhance the performance of Algorithm 3.1 in step B, we test not only the generators $x \in X^{\pm 1}$, but also $x = \Delta$, and if (in step C) $\Delta$ minimizes the value of $M_n(gx)$, then we replace $g$ by $g\Delta$ and return to step B.

In fact, it is an interesting question whether the uniform distribution on a sphere in a Garside monoid $G^+$ has a singleton mean-set $\{\Delta^k\}$ for some $k \in \mathbb{N}$, where $\Delta$ is the Garside element in $G^+$. This is clearly true for free abelian monoids. As we mentioned above, experiments show that the same can be true in the braid monoid.

Below we present the results of actual experiments done for the group $B_{10}$. Horizontally we have increasing number of rounds $k$ from 10 to 320 and vertically we have increasing lengths $L$ (in permutation braids) from 3 to 10. Every cell contains a pair $(P\%, E)$ where $P$ is the success rate and $E$ is the average length of the error for the corresponding pair $(L, k)$ of parameter values.

Since the average Artin length (denoted $L'$ in the table below) of a permutation braid on $n$ strands grows quadratically in $n$, the length of nonce elements grows very fast with $L$; it is shown in the leftmost column of the table in parentheses. For instance, we can see that for $B_{10}$ the average length of a product of $L = 3$ permutation braids is 81, the average length of a product of $L = 5$ permutation braids is 138, etc.
 L (L') \ k |     10       |     20       |     40       |     80      |     160      |     320
------------+--------------+--------------+--------------+-------------+--------------+-------------
  3 (81)    | (0%, 24.6)   | (0%, 22.5)   | (1%, 19.6)   | (4%, 16)    | (7%, 13.1)   | (25%, 12.3)
  5 (138)   | (0%, 46.7)   | (0%, 40.9)   | (0%, 32.5)   | (2%, 23.3)  | (10%, 17.6)  | (28%, 14.2)
 10 (274)   | (0%, 110.2)  | (0%, 102.6)  | (0%, 103.5)  | (0%, 96.3)  | (0%, 92.7)   | (0%, 87.9)

Table 4. Success rate and average length of the error for experiments in $B_{10}$.



Again, we observe that the success rate increases as we increase the number of rounds, and the average error length decreases as we increase the number of rounds. Even in the row $L = 10$, where no instance is broken, the average error drops from about 110 to 88 as $k$ grows, i.e., the transcript still narrows the search space for $s$ in the sense discussed after Theorem 4.3.

6. Defending against the attack 

In this section, we describe several principles one can follow in order to defend against the mean-set attack presented in this paper or, at least, to make it computationally infeasible. Defending can be done through a special choice of the platform group $G$ or a special choice of a distribution $\mu$ on $G$. Another purpose of this section is to motivate further study of distributions on groups and of computational properties of groups.

6.1. Groups with no efficiently computable length functions. One of the main tools in our technique is an efficiently computable distance function $d_X(\cdot, \cdot)$ on $G$. To prevent the attacker from computing mean-sets, one can use a platform group $G$ with a hard to compute length function relative to any "reasonable" finite generating set $X$. By a reasonable generating set we mean a set which is small relative to the main security parameter. Examples of such groups exist. For instance, the length function of any finitely presented group with unsolvable word problem is not computable. On the other hand, it is hard to work with such groups, as they do not have efficiently computable normal forms.

A more interesting example is the multiplicative group $\mathbb{Z}_p^*$ of a prime field. The group $\mathbb{Z}_p^*$ is cyclic, i.e., $\mathbb{Z}_p^* = \langle a \rangle$ for some primitive root $a$ modulo $p$. It is easy to see that the length of an element $b \in \mathbb{Z}_p^*$ relative to the generating set $\{a\}$ satisfies

$$|b| = \begin{cases} \log_a b & \text{if } \log_a b \le (p-1)/2, \\ p - 1 - \log_a b & \text{otherwise,} \end{cases}$$

where $\log_a b \in \{0, \dots, p-2\}$, and hence the problem of computing the length of an element and the discrete logarithm problem are computationally equivalent. The discrete logarithm problem is widely believed to be computationally hard and is used as the basis of security of many cryptographic protocols, most notably the ElGamal [12] and Cramer-Shoup [8] cryptosystems. In other words, $\mathbb{Z}_p^*$ is another example of a group with a hard to compute length function.

6.2. Systems of probability measures. Let $G$ be a platform group. Recall that our assumption was that the Prover uses a fixed distribution on the set of nonce elements, i.e., every element is generated using the same random generator. Instead he can use a sequence of probability measures where each measure $\mu_i$, $i = 1, 2, \dots$, is not used more than once (ever), i.e., every nonce $r_i$, $i = 1, 2, \dots$, is generated using a unique distribution $\mu_i$. In this case, the attacker does not have theoretical grounds for working with sampling mean-sets. Nevertheless, it can turn out that the sequence of random elements $r_1, r_2, \dots$ has some other distribution and the attack will work. Another difficulty with implementing this idea is that there is no systematic study of distributions on general finitely generated groups and, in particular, braid groups. So, it is hard to propose some particular sequence of probability distributions. Some aspects of defining probability measures on infinite groups are discussed in [6] and [7].

6.3. Undefined mean-set. Another way to foil the attack is to use a distribution $\mu$ on $G$ such that $\mathbb{E}(\mu)$ is not defined, i.e., the corresponding weight function is not totally defined. In that case the assumption of Theorem 4.2 fails, and it is easy to see that the sampling weights $M_n(g)$ tend to $\infty$ with probability 1. Nevertheless, we still can compare the sampling weight values, as explained in [26] and [27], where it is shown that the condition of finiteness of $M^{(2)}$ can be relaxed to that of finiteness of $M^{(1)}$. If $M^{(1)}$ is not defined, then that means that the lengths of commitments are too large and are impractical.

6.4. Large mean-set. Also, to foil the attack one can use a distribution $\mu$ on $G$ such that the set $\mathbb{E}\mu$ is large. As an example, consider the authentication protocol in [33], based on the difficulty of computing discrete logarithms in groups of prime order. The space of nonce elements in [33] is an additive group $\mathbb{Z}_q$ acting by exponentiation on a bigger group $\mathbb{Z}_p^*$. It is easy to compute length in $(\mathbb{Z}_q, +) = \langle 1 \rangle$. But, since the nonce elements $r \in \mathbb{Z}_q$ are chosen uniformly, it follows that the mean-set is the whole group $\mathbb{Z}_q$ (the uniform measure is right-invariant), and in this case it is impossible to detect the shift $s$ and the mean-set attack fails. We also refer to [32] for a modification of [33] where nonce elements are not taken modulo $q$ and the security proof requires a bound on the number of times the same key is used.
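The two cyclic-group observations of Sections 6.1 and 6.4 carried out in code, as an added example that is not part of the paper: the length in $\mathbb{Z}_p^*$ is computed through a brute-force discrete logarithm, which is only feasible because the assumed toy parameters are $p = 11$ with primitive root $a = 2$ (for cryptographic $p$ this step is the discrete logarithm problem itself); and the sampling mean-set in $(\mathbb{Z}_q, +)$ with generating set $\{1\}$ is computed exhaustively for a constructed nonce sample concentrated near $0$, where the shift $s$ is recovered, and for an exactly uniform sample, where every residue is a minimizer and the shift is invisible. The parameters and samples are constructed for this example.

```python
# Added example, not code from the paper.  Assumed toy parameters:
# p = 11 with primitive root a = 2 for Z_p^*, and nonce group Z_11.


def dlog(b, a, p):
    """Brute-force discrete logarithm of b to base a in Z_p^*.
    Feasible only for toy p; for real parameters this is the DLP."""
    x, cur = 0, 1
    while cur != b % p:
        cur = (cur * a) % p
        x += 1
        if x >= p - 1:
            raise ValueError("b is not in the subgroup generated by a")
    return x


def length_in_zp_star(b, a, p):
    """Length of b in the Cayley graph of Z_p^* = <a>, i.e. the formula of
    Section 6.1: log_a b if it is at most (p-1)/2, else p - 1 - log_a b."""
    x = dlog(b, a, p)
    return x if x <= (p - 1) // 2 else p - 1 - x


def cyc_dist(g, h, q):
    """Word metric on (Z_q, +) with generating set {1}: distance on the q-cycle."""
    d = (g - h) % q
    return min(d, q - d)


def mean_set(sample, q):
    """Sampling mean-set in Z_q: all minimizers of sum_i d(g, r_i)^2.
    Integer sums are used so that ties are detected exactly."""
    weights = [sum(cyc_dist(g, r, q) ** 2 for r in sample) for g in range(q)]
    m = min(weights)
    return [g for g in range(q) if weights[g] == m]


def shift_attack(r0, r1, q):
    """Mean-set attack in Z_q: every shift s with s + E(R0) meeting E(R1).
    A singleton answer identifies the secret; the whole group means no information."""
    e0, e1 = mean_set(r0, q), mean_set(r1, q)
    return sorted({(b - a) % q for a in e0 for b in e1})


if __name__ == "__main__":
    p, a = 11, 2
    print([length_in_zp_star(b, a, p) for b in range(1, p)])   # [0, 1, 2, 2, 4, 1, 3, 3, 4, 5]
    q, s = 11, 7
    narrow = [0, 0, 1, q - 1]            # constructed: nonces concentrated around 0
    print(shift_attack(narrow, [(s + r) % q for r in narrow], q))     # [7]
    uniform = list(range(q))             # constructed: an exactly uniform sample
    print(shift_attack(uniform, [(s + r) % q for r in uniform], q))   # [0, 1, ..., 10]
```

For a finite uniform sample that is not the whole group the weights are not exactly flat, but the minimizer is then an essentially random residue that carries no information about $s$, which is the point of Section 6.4; the contrast with the concentrated sample shows that it is the shape of the nonce distribution, not the group, that decides whether the shift is visible.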

Now, let $G$ be an infinite group. It is impossible to generate elements of $G$ uniformly, but one can try to achieve the property described below, which can foil the mean-set attack. Choose a probability measure $\mu$ on $G$ so that the mean-set $\mathbb{E}\mu$ is large. Recall that Algorithm 4.1 finds at most one element of $G$ minimizing the weight function. For that it uses Algorithm 3.1, which randomly (according to some measure $\nu$) chooses an element $g \in G$ and then gradually changes it (descends) to minimize its $M$ value. This way the distribution $\nu$ on the initial choices $g \in G$ defines a distribution $\nu^*$ on the set of local minima of $M$ on $G$. More precisely, for $g' \in G$,

$$\nu^*(g') = \nu\left(\{g \in G \mid \text{Algorithm 3.1 stops with the answer } g' \text{ on input } g\}\right).$$

Denote by $\mu_s$ the probability measure on $G$ shifted by an element $s$, defined by $\mu_s(g) = \mu(s^{-1}g)$. If $S \subseteq G$ is the set of local minima of the weight function $M$ relative to $\mu$, then the set $sS$ is the set of local minima relative to $\mu_s$. But the distribution $\nu^*_{\mu_s}$ does not have to be induced from $\nu^*_{\mu}$ by the shift $s$, i.e., the equality $\nu^*_{\mu_s}(g) = \nu^*_{\mu}(s^{-1}g)$ does not have to hold. In fact, the distributions $\nu^*_{\mu}$ and $\nu^*_{\mu_s}$ can "favor" unrelated subsets of $S$ and $sS$ respectively. That would definitely foil the attack presented in this paper. On the other hand, if $\nu^*_{\mu}$ and $\nu^*_{\mu_s}$ are related, then the mean-set attack can still work.

Finally, we want to mention again that probability measures on groups have not been extensively studied: there are no good probability measures known on general groups and no general methods to construct measures satisfying the desired properties. Moreover, the problem of constructing distributions with large mean-sets is very complicated, because not every subset of a group $G$ can be realized as a mean-set. See [27] and [26] for more details. A number of open questions arise regarding the problems mentioned above, but dealing with them is beyond the scope of this paper.

7. Conclusion 

In this paper, we used a probabilistic approach to analyze the Sibert et al. group-based authentication protocol. We have proved that the scheme does not meet the necessary security requirements, i.e., it is not computationally zero-knowledge, in practice. To conduct our analysis, we introduced a new computational problem for finitely generated groups, the shift search problem, and employed the probabilistic tools discussed in [27] to deal with it. In particular, the concept of the mean-set and the generalized strong law of large numbers for random group elements with values in the vertices of the connected and locally finite Cayley graph of a given infinite finitely generated group are used. The rate of success of recovering the secret key, as a solution to the shift search problem, has been proved to be linear or exponential depending on the assumptions one is willing to make. In addition, we have provided experimental evidence that our approach is practical and can succeed even for braid groups. This work shows, among other things, that generalization of classical probabilistic results to combinatorial objects can lead to useful applications in group-based cryptography.